Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-lambda): Use PoLP inline IAM policies instead of AWS managed policies #31756

Open
2 tasks
LyndonHook opened this issue Oct 15, 2024 · 2 comments
Open
2 tasks

(aws-lambda): Use PoLP inline IAM policies instead of AWS managed policies #31756

LyndonHook opened this issue Oct 15, 2024 · 2 comments
Assignees
@5d
Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@LyndonHook
Copy link

LyndonHook commented Oct 15, 2024
edited
Loading

Describe the feature

Lambdas are created with inline policies that follow PoLP instead of AWS managed policies.

Use Case

Currently Lambdas are created with AWS managed policies for logging and VPC access.

AWS managed policies used by the CDK:

  • AWSLambdaBasicExecutionRole
  • AWSLambdaVPCAccessExecutionRole

In most cases AWS managed policies are considered overly permissive and customer managed policies should be used in their place.

Lambdas should be created with sensible defaults based on AWS best practices.

Proposed Solution

The CDK creates Lambdas without using AWS managed policies. Instead, it uses custom inline policies based on the PoLP.

Other Information

Existing GitHub discussion

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.162.1

Environment details (OS name and version, etc.)

Ubuntu 24.04.1
@LyndonHook LyndonHook added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 15, 2024
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Oct 15, 2024
@pahud
Copy link
Contributor

pahud commented Oct 15, 2024

Thank you for bringing this up to our attention. I'll check with the team and see if there's any update for this.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 15, 2024
@5d 5d self-assigned this Oct 30, 2024
@5d
Copy link
Member

5d commented Oct 30, 2024

Hi @LyndonHook,

I'm looking into solutions for this issue and will keep you updated as soon as I have more information.

@github-actions github-actions bot mentioned this issue Nov 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@5d 5d

Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pahud @5d @LyndonHook